2022-09-19

Instruction No. 240 on the Organization of the Operational Risk Management System in Credit Financial Organizations

The National Bank of Tajikistan issued Instruction No. 240 to establish mandatory minimum requirements for operational risk management systems across all licensed credit financial organizations, including banks and Islamic institutions. The regulation mandates the development of a formal risk management policy approved by the Supervisory Board, detailing clear governance structures, defined responsibilities for executive bodies and dedicated risk departments, and standardized procedures for identifying, assessing, measuring, reducing, and monitoring operational risks. It further requires organizations to maintain analytical databases of historical losses, apply recognized international assessment methods (such as statistical analysis and scorecards), implement robust internal controls and business continuity plans, and regularly report risk exposures to ensure financial stability and regulatory compliance.


Tajikistan

National Bank of Tajikistan


«Registered» by the Ministry of Justice of the Republic of Tajikistan No. 993 dated “20” November 2019.

«Approved» by the Resolution of the Board of the National Bank of Tajikistan No. 128 dated “24” October 2019.

Instruction No. 240 “On the Organization of the Operational Risk Management System in Credit Financial Organizations”

Instruction No. 240 “On the Organization of the Operational Risk Management System in Credit Financial Organizations” (hereinafter – the Instruction) is developed in accordance with paragraph 5 of Article 42 of the Law of the Republic of Tajikistan “On the National Bank of Tajikistan” with the aim of organizing an effective operational risk management system in credit financial organizations and establishes minimum requirements for the organization of the operational risk management system’s activities, as well as methods for managing and controlling the activities of this system in credit financial organizations.

CHAPTER 1. GENERAL PROVISIONS

  1. The following main terms are used in this Instruction:
  • credit financial organizations – credit institutions and Islamic credit institutions carrying out activities provided for by law based on a license from the National Bank of Tajikistan;
  • banking operation – an operation carried out by credit financial organizations in accordance with the legislation of the Republic of Tajikistan;
  • operational risk – the occurrence of losses resulting from non-compliance of internal regulations, procedures, and banking operations with the goals, nature, and scale of activities of a credit financial organization and current legislative requirements, as well as their non-observance by employees of the credit financial organization and other persons (as a result of accidental or intentional actions or omissions), non-compliance of the capabilities and tasks of information, technological systems and other software used by credit financial organizations, as well as their failure, including as a result of external events;
  • outsourcing – a set of measures to assign the obligations for performing specific works and services of a credit financial organization (works and services not related to its main activities) to another servicing organization;
  2. Compliance with the requirements of this Instruction is mandatory for the following credit financial organizations:
  • banks and Islamic banks;
  • non-bank credit institutions and Islamic non-bank credit institutions authorized to attract deposits;
  • microdeposit credit institutions and Islamic microdeposit credit institutions.
  3. Operational risk management is part of the risk management system of a credit financial organization and includes the identification, assessment, measurement, reduction, control, and monitoring of operational risk.

  4. Factors (causes) of operational risk occurrence include:

  • accidental or intentional and deliberate actions of physical and legal persons contradicting the interests and goals of a credit financial organization;
  • imperfection of the structure of a credit financial organization regarding the distribution of powers among departments and employees, procedures for conducting, registering, accounting, and controlling banking operations, non-compliance with established rules and procedures by employees, ineffective internal control activities;
  • adverse external conditions and circumstances beyond the influence and control of a credit financial organization.
  5. Cases of operational losses resulting from the impact of various factors of operational risk are classified into the following types of losses:
  • abuse or illegal actions performed by employees or with their participation (e.g., fraud, theft, abuse of official duties, intentional concealment of evidence in conducting banking operations and other transactions, unauthorized use of information systems and resources);
  • illegal actions by third parties against a credit financial organization (e.g., falsification of payment documents and other documents, unauthorized access to information and technological systems);
  • non-compliance with labor legislation requirements (e.g., untimely payment of wages, failure to provide statutory leave, non-compliance with other provisions of labor legislation and employment contract terms) by a credit financial organization or its employees;
  • non-compliance with relevant legislation of the Republic of Tajikistan, including banking and antimonopoly legislation, legislation on combating money laundering, terrorism financing, and weapons of mass destruction proliferation financing, etc.;
  • non-performance or unacceptable performance of contractual obligations related to main activities concerning clients and other third parties;
  • non-compliance with official (business) correspondence requirements (e.g., improper use of confidential information and price fixing);
  • damage or loss of fixed assets and other material assets (as a result of terrorist acts, natural disasters, fires, and other emergencies);
  • failure of equipment and systems (e.g., disruption of workflow in an automated banking system, communication systems, equipment breakdown);
  • improper organization of activities, management and execution errors (e.g., as a result of incorrect internal rules and processes, insufficient control level, lack/imperfection of protection systems and access procedures, improper organization of information flow within a credit financial organization, non-performance by service providers/contractors before the credit financial organization, errors in input and processing of information on operations and transactions, loss of documentation), etc.
  6. Operational losses may be expressed in the following forms:
  • decrease in asset value;
  • early write-off (withdrawal) of material assets;
  • payments made based on court decisions/rulings, or decisions of bodies authorized under the legislation of the Republic of Tajikistan;
  • payments (compensations) paid to clients, counterparties, and employees of a credit financial organization for out-of-court compensation of damages caused by the fault of the credit financial organization;
  • costs incurred in restoring economic activities and eliminating deficiencies, consequences of accidents, natural disasters, and other similar cases.

CHAPTER 2. ORGANIZATIONAL FOUNDATIONS OF THE OPERATIONAL RISK MANAGEMENT SYSTEM

  7. The operational risk management policy in a credit financial organization is developed taking into account the size, specifics, and scale of its operations and approved by its Supervisory Board.

  8. The operational risk management policy may be developed as a separate document or as part of the overall risk management policy of a credit financial organization and must, at minimum, include:
  • goals and objectives of operational risk management taking into account priority areas of activity;
  • main methods for identifying, assessing, measuring, reducing, controlling, and monitoring operational risk;
  • main methods for controlling, forecasting, and mitigating operational risk (taking measures to maintain risk at a level not threatening the interests of creditors, depositors, investment account holders, and the stability of the credit financial organization);
  • procedure for reporting and information exchange regarding operational risk management;
  • distribution of powers and responsibilities among the Supervisory Board, Committee for Islamic Financial Services, and executive body regarding the implementation of main operational risk management rules.
  9. The operational risk management policy is reviewed at least once a year, while rules, procedures, and other internal regulatory acts regarding operational risk management are reviewed as necessary, but at least once every two years, taking into account the level of operational risk management in a credit financial organization and international practice. These acts must be timely brought to the attention of relevant employees, who must have complete and appropriate information about their provisions.

  10. The main operational risk management rules take into account requirements provided by internal regulatory documents of a credit financial organization governing the following issues:

  • structure of a credit financial organization, distribution and delegation of powers, official duties, interaction procedures between structural departments, employees, and information exchange procedures;
  • rules, procedures, and processes for conducting banking operations and other transactions, accounting policy, organization of internal processes;
  • rules, procedures, and processes for the operation of technical, information, and other systems;
  • procedures for developing and submitting reports and other information;
  • employee incentive system and other relevant issues.

  When a credit financial organization makes changes and additions to internal regulatory acts or adopts them in a new edition, their compliance with the operational risk management policy is ensured.
  11. A credit financial organization develops and adopts internal regulatory documents regarding the following issues to limit operational risk:
  • concerning all types of operations carried out by a credit financial organization;
  • regarding the physical security of assets, including requirements for administrative buildings housing structural departments, vaults, safes, documents and archives, as well as measures to ensure physical security of equipment and information technology;
  • concerning the receipt, storage, and transportation of cash and other valuables;
  • regarding information-technology systems;
  • concerning the use of outsourcing;
  • business continuity and/or recovery plans.
  12. The Supervisory Board of a credit financial organization bears primary responsibility for operational risk management and, to create conditions for effective operational risk management, possesses the following powers:
  • approving the operational risk management policy;
  • establishing an organizational structure of a credit financial organization that meets key operational risk management rules;
  • organizing full control and periodic inspections by the internal audit service regarding compliance with key operational risk management rules by the executive body and structural departments of a credit financial organization;
  • approving measures to ensure continuous operations within banking activities and other transactions, including contingency action plans (business continuity and/or recovery plans);
  • assessing the effectiveness of the operational risk management system;
  • controlling the activities of the executive body of credit financial organizations in the direction of effective operational risk management.
  13. To ensure effective operational risk management, the executive body of a credit financial organization possesses the following powers:
  • adopting internal regulatory documents defining the order, rules, and/or procedures for operational risk management in accordance with the operational risk management policy approved by the Supervisory Board;
  • distributing powers and responsibilities for operational risk management among heads of structural departments at different levels, providing them with necessary resources, defining interaction and reporting procedures;
  • regularly assessing the operational risk management policy and submitting proposals for its improvement and implementation;
  • in case of losses resulting from operational risk, organizing internal inspections to identify deficiencies in the operational risk management system and submitting proposals to the Supervisory Board on ways to eliminate identified gaps.
  14. Taking into account the specifics and scale of activities, as well as to concentrate resources and efforts on operational risk management, a credit financial organization creates or appoints a structural department or responsible employee who carries out centralized coordination and management of operational risk.

  15. Employees of the structural department or the responsible employee for operational risk management must possess necessary skills, knowledge, and experience corresponding to the complexity level of operations and activities of a credit financial organization.

  16. The structural department or responsible employee for operational risk management performs the following tasks:

  • submitting a report on the state of operational risk and its management system in a credit financial organization to the Supervisory Board and executive body at least once a quarter;
  • immediately notifying the Supervisory Board of all cases of non-compliance with legislation or regulatory legal acts and any correspondence from the National Bank of Tajikistan related to non-compliance. The Supervisory Board is obliged to ensure the adoption of corrective measures and require amendments and additions to rules, procedures, processes, and internal control mechanisms to prevent recurrence of such deficiencies.
  17. Internal regulatory documents of a credit financial organization define the powers and interaction procedures of the structural department or responsible employee for operational risk management with other departments conducting banking operations and other transactions and responsible for managing other banking risks (credit/investment, market, and other risks), as well as cooperation with internal control staff.

  18. A credit financial organization adopts and implements internal procedures to enhance the knowledge and skills of employees, including in connection with their performance of duties in the field of operational risk management, as well as their motivation to identify factors (causes) of operational risk.

CHAPTER 3. IDENTIFICATION OF OPERATIONAL RISK

  19. Identification of operational risk denotes the analysis of all circumstances of a credit financial organization’s activities regarding the presence or potential realization of operational risk factors provided for in paragraph 4 of this Instruction. Such analysis is conducted within the following stages:

  • analysis of general changes in the financial sector (e.g., implementation of new technology or financial innovations) that may affect the activities of credit financial organizations;
  • analysis of exposure of activity areas to operational risk taking into account their priority (development of risk profiles for credit financial organizations);
  • analysis of individual operations and other transactions of a credit financial organization;
  • analysis of internal procedures, including the reporting system and information exchange.
  20. At the stage of identifying operational risk, special attention should be paid to cases of combined powers and responsibilities among structural departments of credit financial organizations.

  21. To identify operational risk factors during the development of innovations in credit financial organizations, including when amending organizational structure or internal regulatory acts, implementing new technologies and services (including using outsourcing), and realizing new activity areas, the structural department or responsible employee for operational risk management conducts a detailed analysis of these factors.

  22. To ensure conditions for proper identification and assessment of operational risk, a credit financial organization organizes an analytical database of realized operational losses, which records information on the forms and volumes of losses from a specific type of banking activity, operation, and other transactions, as well as cases of risk occurrence and identification. When organizing the analytical database, to simplify and compare information, classification of operational loss cases provided for in paragraph 5 of this Instruction and classification of activity areas of credit financial organizations may be used. The procedure for collecting information on operational losses, the presentation form, and content requirements for data entered into the analytical database are determined in internal regulatory acts of a credit financial organization.

  23. In addition to maintaining an analytical database on operational risk, credit financial organizations also conduct regular collection of information about cases of operational losses from various sources and other credit financial organizations and perform their analysis.

CHAPTER 4. ASSESSMENT AND MEASUREMENT OF OPERATIONAL RISK

  24. Assessment of operational risk implies assessment of the probability of occurrence of events or cases leading to operational losses, as well as assessment of the volume of potential losses.

  25. Methods for assessing operational risk are defined in internal regulatory documents of credit financial organizations. Credit financial organizations may independently develop methods for assessing operational risk or apply methods accepted in international banking practice. The following methods are applied in international banking practice:
  • statistical analysis of the distribution of actual losses;
  • weighted risk assessment method (scorecard method);
  • modeling (analysis based on conditional forecasts).
  26. Methods based on statistical analysis of the distribution of actual losses allow forecasting potential operational losses taking into account the sum of operational losses that occurred in credit financial organizations in the past. When applying these methods, information collected in the analytical database regarding operational losses is used as initial data.

  27. The essence of the weighted risk assessment method lies in evaluating operational risk compared to measures taken to reduce it. Information indicators for managing operational risks are selected based on expert analysis and their relative importance (weighted coefficient) is determined. Then, the selected indicators are translated into a table (scorecard) and evaluated using various levels. The obtained results are processed taking into account the weighted coefficient and compared with each other across activity areas of credit financial organizations, individual types of banking operations, and other transactions. Application of the weighted risk assessment method (scorecard method), along with operational risk assessment, also allows identifying negative and positive aspects of operational risk management.

  28. Using the modeling method (analysis based on conditional forecasts) based on expert analysis, possible scenarios for the occurrence of events or cases related to operational risk are determined regarding activity areas of credit financial organizations, individual types of banking operations, and other transactions; a model for the distribution of frequency of occurrence and loss volume is developed, which is subsequently used to assess operational risk.

  29. A credit financial organization conducts regular assessment of operational risk within the organization itself and classifies it by activity areas, internal processes, information-communication technology systems, and banking operations and services. The frequency of operational risk assessment is determined based on internal regulatory acts of credit financial organizations.

CHAPTER 5. REDUCTION AND CONTROL OF OPERATIONAL RISK

  30. Reduction of operational risk represents the adoption of a set of measures to reduce the probability of occurrence of events or cases related to operational risks and/or reduce or limit the volume of possible operational losses. In this case, methods for reducing operational risk are applied taking into account the characteristics and scale of activities of credit financial organizations.

  31. The main method for reducing operational risk, controlled at the level of credit financial organizations, is the development of an organizational structure and adoption of internal rules and procedures for conducting each banking operation and other transactions, taking into account the reduction and prevention of the probability of occurrence of operational risk factors. In this case, special attention is paid to compliance with the method of distributing powers, approval (agreement) procedures, and reporting on all banking operations and other transactions.

  32. Control over compliance with established rules and procedures within the internal control system is carried out in the following areas:

  • compliance with established norms for conducting banking operations and other transactions;
  • regular comparison of primary documents and accounts for banking operations and other transactions that are performed and/or concluded;
  • compliance with the established procedure for accessing information and material assets of credit financial organizations;
  • effective training and preparation of employees.
  33. The development of banking technology automation and information security systems can contribute to reducing the level of operational risk. In this case, credit financial organizations are obliged to take into account the conversion of potential operational risk: although manual processing increases the probability of damage (e.g., data entry errors), the volume of possible losses is small or insignificant, whereas with higher automation levels the probability of damage occurrence decreases but the volume of possible damage may become very large (e.g., software errors or system disruptions).

  34. The level of individual types of operational risk may be reduced by transferring the risk or its part to third parties, provided that such transfer of risk does not contradict the requirements of the legislation of the Republic of Tajikistan. The decision to use risk transfer mechanisms (for example, outsourcing) is made based on detailed analysis results and taking into account expected costs, cost, and the possibility of converting one type of risk into another. Along with controlling the level of residual risk, credit financial organizations also control the size of transferred operational risk.

  35. When using outsourcing, attention is paid to the fact that credit financial organizations are responsible not only for the final results of activities but also for the methods of achieving them. In this regard, implementation of